Simplest network access by Active Directory group with native MS client?
Please advise me.
I need to make a connection from multiple users to a private network according to Active Directory group membership over the existing SMB network.
I see a couple of solutions but they aren't suitable:
- OpenVPN with AD auth -> fine, but there is no native client in Windows.
- IPsec+L2TP+mobile clients -> I have tried that several times in previous pfSense versions but with no success.
- ISAKMP + mobile clients + AD authentication -- is it possible? Is it a working solution?
Maybe there are other solutions?
You should be able to use mobile IKEv2 with EAP-RADIUS as shown here:
@stephenw10 Thank you for advice.
But there may only be a maximum of 50 RADIUS clients on Windows Server Standard Edition.
Is there a way to escape RADIUS authentication and use only Active Directory authentication instead?
Not using IKEv2. LDAP doesn't support the hashed passwords sent by the EAP types we have. I guess you would need EAP-GTC but that is considered weak.
For standard xauth types you have to use IKEv1.
Or change the Windows server version.
I haven't tested it myself, but WinRadius might help with that 50 user limit.
You would probably still run afoul of the M$ CALs somewhere.
I say that's a constant regardless of what you do :)